Add session when updating password as a user (#30125)

* initial changes * add tests * remove namespaces * Update test/metabase/api/user_test.clj Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com> --------- Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>

Add session when updating password as a user (#30125)
6c9f8ca3 · Jerry Huang · GitHub · 2151f546 · 6c9f8ca3 · 6c9f8ca3
Unverified Commit 6c9f8ca3 authored 2 years ago by Jerry Huang Committed by GitHub 2 years ago
--- a/src/metabase/api/user.clj
+++ b/src/metabase/api/user.clj
@@ -8,6 +8,7 @@
   [metabase.api.common :as api]
   [metabase.api.common.validation :as validation]
   [metabase.api.ldap :as api.ldap]
+   [metabase.api.session :as api.session]
   [metabase.email.messages :as messages]
   [metabase.integrations.google :as google]
   [metabase.models.collection :as collection :refer [Collection]]
@@ -17,6 +18,8 @@
   [metabase.plugins.classloader :as classloader]
   [metabase.public-settings.premium-features :as premium-features]
   [metabase.server.middleware.offset-paging :as mw.offset-paging]
+   [metabase.server.middleware.session :as mw.session]
+   [metabase.server.request.util :as request.u]
   [metabase.util :as u]
   [metabase.util.i18n :refer [tru]]
   [metabase.util.password :as u.password]
@@ -385,20 +388,23 @@
 #_{:clj-kondo/ignore [:deprecated-var]}
 (api/defendpoint-schema PUT "/:id/password"
  "Update a user's password."
-  [id :as {{:keys [password old_password]} :body}]
+  [id :as {{:keys [password old_password]} :body, :as request}]
  {password su/ValidPassword}
  (check-self-or-superuser id)
-  (api/let-404 [user (t2/select-one [User :password_salt :password], :id id, :is_active true)]
+  (api/let-404 [user (t2/select-one [User :id :last_login :password_salt :password], :id id, :is_active true)]
    ;; admins are allowed to reset anyone's password (in the admin people list) so no need to check the value of
    ;; `old_password` for them regular users have to know their password, however
    (when-not api/*is-superuser?*
      (api/checkp (u.password/bcrypt-verify (str (:password_salt user) old_password) (:password user))
-        "old_password"
-        (tru "Invalid password"))))
-  (user/set-password! id password)
-  ;; return the updated User
-  (fetch-user :id id))
-
+                  "old_password"
+                  (tru "Invalid password")))
+    (user/set-password! id password)
+    ;; after a successful password update go ahead and offer the client a new session that they can use
+    (when (= id api/*current-user-id*)
+      (let [{session-uuid :id, :as session} (api.session/create-session! :password user (request.u/device-info request))
+            response                        {:success    true
+                                             :session_id (str session-uuid)}]
+        (mw.session/set-session-cookies request response session (t/zoned-date-time (t/zone-id "GMT")))))))

 ;;; +----------------------------------------------------------------------------------------------------------------+
 ;;; |                             Deleting (Deactivating) a User -- DELETE /api/user/:id                             |

--- a/test/metabase/api/user_test.clj
+++ b/test/metabase/api/user_test.clj
@@ -969,6 +969,20 @@
                                   {:password     "whateverUP12!!"
                                    :old_password "mismatched"}))))))

+(deftest reset-password-session-test
+  (testing "PUT /api/user/:id/password"
+    (testing "Test that we return a session if we are changing our own password"
+      (mt/with-temp User [user {:password "def", :is_superuser false}]
+        (let [creds {:username (:email user), :password "def"}]
+          (is (schema= {:session_id (s/pred mt/is-uuid-string? "session")
+                        :success    (s/eq true)}
+                       (mt/client creds :put 200 (format "user/%d/password" (:id user)) {:password     "abc123!!DEF"
+                                                                                         :old_password "def"}))))))
+
+    (testing "Test that we don't return a session if we are changing our someone else's password as a superuser"
+      (mt/with-temp User [user {:password "def", :is_superuser false}]
+        (is (nil? (mt/user-http-request :crowberto :put 204 (format "user/%d/password" (:id user)) {:password     "abc123!!DEF"
+                                                                                                    :old_password "def"})))))))

 ;;; +----------------------------------------------------------------------------------------------------------------+
 ;;; |                             Deleting (Deactivating) a User -- DELETE /api/user/:id                             |